Blocking Internet Explorer 8 Automatic Delivery
Microsoft is getting ready to release Internet Explorer 8. The latest available version of Internet Explorer for Windows XP (SP2+), Windows Vista, Windows Server 2003 (SP2+) and Windows Server 2008 will be delivered as a Windows Update soon. Windows 7 will feature Internet Explorer 8 built-in.
Rendering in Internet Explorer 8
Besides improved reliability, security, performance and a handful of new features, Internet Explorer 8 introduces a new rendering engine, which is enabled by default. In recent news it was found that most websites are not capable of presenting content 100% as intended in Internet Explorer 8, compared to Internet Explorer 6, Internet Explorer 7 and other common browsers.
Internet Explorer breaks with a tradition. In the past Internet Explorer wasn’t the most standards-compliant browser in the world (understatement…), but with Internet Explorer 8 Microsoft is trying to show its good side, with these nasty consequences as results.
While the Compatibility View functionality in Internet Explorer 8 offers the ability to open web pages with Internet Explorer 7 compatible rendering settings, this may not be an adequate solution. It’s definitely not a good solution for companies trying to stick with Internet Explorer 6.x.
Your web based application may be affected by the new rendering engine. When this is the result of testing your application, you might decide not to deploy Internet Explorer 8. This blogpost shows you your options:
- The Graphical User Interface (GUI)
- The Internet Explorer 8 Blocker Toolkit
- Windows Server Update Services (WSUS)
The Graphical User Interface
If you are a an administrator of your machine and as soon as the Internet Explorer setup is downloaded you will have three options:
- Install: The installation procedure will start after the genuine windows check and the homepage, favorites and search settings will be kept.
- Do not Install: You will not be asked again to install Internet Explorer 8, however if you have admin privileges you can always use the optional update to install Internet Explorer 8 afterwards.
- Ask again later: The installation process will be canceled and the Automatic Updates will ask you again after 24 Hours.
IE8 Blocker Toolkit
Microsoft has now released the Internet Explorer 8 Blocker Toolkit to block automatic delivery of Internet Explorer 8 to machines in environments where Automatic Updates are enabled. It offers three ways to block Internet Explorer 8 indefinitely from your environment:
Through a script
The Toolkit to Disable Automatic Delivery of Microsoft Internet Explorer 8 comes with ie8blocker.cmd. You can use the handy script to disable the delivery of Internet Explorer 8 through a machine startup script or perhaps a user logon script (if in the unlikely case you allow your users to be local administrators)
The script has the following command-line syntax:
IE8Blocker.cmd [<machine name>] [/B] [/U] [/H]
Using the /H or /? switch will help you further in your scripting quest. Don't worry if you mess up: the script can be run multiple times on the same machine without any problem.
Through the registry
The IE8Blocker.cmd script in the Toolkit to Disable Automatic Delivery of Internet Explorer 8 creates a registry key and sets the associated value to block or unblock (depending on the command-line option used) automatic delivery of Internet Explorer 8 on either the local machine or a remote target machine:
- When the key value name is not defined, distribution is not blocked.
- When the key value name is set to 0, distribution is not blocked.
- When the key value name is set to 1, distribution is blocked.
You can create this registry setting manually too if this is a more appropriate method for your environment.
Through a group policy
When you’re a fan of Group Policy (like I am) the Toolkit offers to disable the automatic delivery of Internet Explorer 8 a custom *.adm file with which all of you know your way around. If not I suggest you have a little chat with Darren Mar-elia or other Group Policy gods.
In the Internet Explorer 7 era Microsoft introduced a new container within Administrative Templates for the Computer Configuration called "Automatic Updates Blockers" underneath the Windows Update container. I expected further use for the container then, but the IE8 blocker is actually located inside a new container named "Automatic Updates Blockers v2".
In suspect the reason behind the new v2 container is the registry settings, corresponding with the Group Policy settings are not stored in a policies key and are thus considered a preference. Group Policy preferences were not available yet in the Internet Explorer 7 era.
Windows Server Update Services
In enterprise environments the tools of choice to control which updates get delivered to what (groups of) computers and servers are the free Microsoft Baseline Security Analyzer (MBSA), Enterprise Update Scan (EUS) tool, the free Microsoft Windows Update Services add-on to Windows Server, Microsofts aging Systems Management Server or of course Microsoft System Center Configuration Manager. Pick your tool of choice here.
Internet Explorer 8 might prove to break your mission-critical web based application. As a last resort you might decide to block Internet Explorer 8 from your environments.
You have plenty of tools at hand to defend your networks. Use them wisely.
To IE7 or not?
Deploying and managing FireFox centrally
Toolkit to Disable Automatic Delivery of Internet Explorer 8
Internet Explorer 8 Blocker Toolkit Q&A
Internet Explorer 8 Delivery through Automatic Updates
Internet Explorer Product Site
Readiness Toolkit for Developers, Testers & ITPros
Microsoft Update Management Solutions
5 things every web developer should know about IE8
IE8's standards compatibility promise
Microsoft: ‘We feel a strong obligation to customers with IE8′
Preparing Web Sites for Internet Explorer 8
Compatibility Mode in IE8
Preparing for IE8
Microsoft's Interoperability Principles and IE8